Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-12-2022 23:55

General

  • Target

    b134b88cf0bf5e70ecf38fc79f79e57899cc4234915326a95722eed155c6318c.exe

  • Size

    104KB

  • MD5

    f0249f17b408fb2534a92bb57f46cea7

  • SHA1

    b8d61dfe8c7172b6e43e776e9ffe65a245b40804

  • SHA256

    b134b88cf0bf5e70ecf38fc79f79e57899cc4234915326a95722eed155c6318c

  • SHA512

    f93cd2dba4d5db2d45e5617c64183c7904c484d4b861e4795f8348f5a2ff858166a35205632695c02090a53ea4baeb06730de1cb391ca829e8bb90b5382c27a9

  • SSDEEP

    1536:Tc53fETlgZScK43sKeWjwJBAOs9G2HaQNsMj3i6E3j:453fEakIsK0IHxN/Oj

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b134b88cf0bf5e70ecf38fc79f79e57899cc4234915326a95722eed155c6318c.exe
    "C:\Users\Admin\AppData\Local\Temp\b134b88cf0bf5e70ecf38fc79f79e57899cc4234915326a95722eed155c6318c.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4964
    • C:\Users\Admin\tuuno.exe
      "C:\Users\Admin\tuuno.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3796
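The behaviours listed under Signatures and in the process tree above, expressed as detection logic, as an added worked example that is not part of the sandbox output. It runs the checks behind three of the signatures (Run-key persistence, Explorer hidden-file visibility, a dropped executable launched from the user profile root by a Temp-resident parent) over a handful of constructed Sysmon-style records. The file paths, PIDs and hashes are the ones in this report; the event records themselves, the user SID and the svchost.exe control event are constructed for the example.

```python
"""Behavioural triage over constructed Sysmon-style events (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators taken from this report's process tree and Downloads section.
SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\b134b88cf0bf5e70ecf38fc79f79e57899cc4234915326a95722eed155c6318c.exe")
SAMPLE_SHA256 = "b134b88cf0bf5e70ecf38fc79f79e57899cc4234915326a95722eed155c6318c"
DROPPED_PATH = r"C:\Users\Admin\tuuno.exe"
DROPPED_SHA256 = "73c12b32d7884af23de759123c93ef900e14de42b4da65914cdfade1474dbc99"

# Registry locations behind the "Adds Run key" and "Modifies visibility of
# hidden/system files in Explorer" signatures. For Explorer\Advanced\Hidden,
# 1 = show hidden files, 2 = do not show them.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\(?P<name>[^\\]+)$", re.I)
EXPLORER_ADV_RE = re.compile(
    r"\\Explorer\\Advanced\\(?P<name>Hidden|ShowSuperHidden|HideFileExt)$", re.I)
# An executable sitting directly in a profile root (C:\Users\<user>\x.exe),
# which is where tuuno.exe lands in this report.
PROFILE_ROOT_EXE_RE = re.compile(r"^[a-z]:\\Users\\[^\\]+\\[^\\]+\.exe$", re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# Only Run values that point into user-writable locations are flagged; this
# keeps vendor entries under %windir% out of the findings.
USER_WRITABLE_RE = re.compile(
    r"(\\Users\\|\\ProgramData\\|%APPDATA%|%TEMP%|%LOCALAPPDATA%)", re.I)


@dataclass(frozen=True)
class Event:
    """Minimal Sysmon-style record: 1 = ProcessCreate, 13 = RegistryEvent (value set)."""
    event_id: int
    pid: int
    image: str
    target: str = ""        # RegistryEvent: TargetObject (key path + value name)
    details: str = ""       # RegistryEvent: data written
    parent_image: str = ""  # ProcessCreate: ParentImage


def classify(ev: Event) -> list[str]:
    """Return the tactic.technique tags a single event triggers."""
    tags: list[str] = []
    if ev.event_id == 13:
        if RUN_KEY_RE.search(ev.target) and USER_WRITABLE_RE.search(ev.details):
            tags.append("persistence.run_key")
        if EXPLORER_ADV_RE.search(ev.target):
            tags.append("defense_evasion.explorer_hidden_files")
    elif ev.event_id == 1:
        if PROFILE_ROOT_EXE_RE.match(ev.image) and TEMP_DIR_RE.search(ev.parent_image):
            tags.append("execution.dropped_exe_from_temp")
    return tags


def triage(events: list[Event]) -> dict[int, list[str]]:
    """Group distinct findings per PID, mirroring the per-process list in the report."""
    findings: dict[int, set[str]] = {}
    for ev in events:
        for tag in classify(ev):
            findings.setdefault(ev.pid, set()).add(tag)
    return {pid: sorted(tags) for pid, tags in findings.items()}


def verdict(findings: dict[int, list[str]]) -> str:
    """'malicious' once one process shows two distinct tactics, else 'suspicious'/'clean'."""
    tactics = {pid: {t.split(".")[0] for t in tags} for pid, tags in findings.items()}
    if any(len(t) >= 2 for t in tactics.values()):
        return "malicious"
    return "suspicious" if findings else "clean"


# Constructed events modelled on the process tree above (SID is made up).
SID = r"HKU\S-1-5-21-1000000000-2000000000-3000000000-1001"
CV = r"\SOFTWARE\Microsoft\Windows\CurrentVersion"
SAMPLE_EVENTS = [
    Event(1, 4964, SAMPLE_PATH, parent_image=r"C:\Windows\explorer.exe"),
    Event(13, 4964, SAMPLE_PATH, SID + CV + r"\Explorer\Advanced\Hidden", "DWORD (0x00000002)"),
    Event(13, 4964, SAMPLE_PATH, SID + CV + r"\Run\tuuno", DROPPED_PATH),
    Event(1, 3796, DROPPED_PATH, parent_image=SAMPLE_PATH),
    Event(13, 3796, DROPPED_PATH, SID + CV + r"\Run\tuuno", DROPPED_PATH),
    # Benign control: a vendor Run entry written by a system process.
    Event(13, 1234, r"C:\Windows\System32\svchost.exe",
          r"HKLM" + CV + r"\Run\SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for pid, tags in found.items():
        print(pid, tags)
    print("verdict:", verdict(found))
```

Two caveats for anyone turning this into a production rule: the "Checks computer location settings" signature is a registry read (the country code under HKCU\Control Panel\International), and Sysmon registry events only record key creation/deletion, value sets and renames, so that behaviour is not observable this way; and the user-writable filter on Run values is a noise reducer, not a safety guarantee, since a loader can persist from a path it controls under Program Files.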

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\tuuno.exe

    Filesize

    104KB

    MD5

    feee710fbcb085b32937dd83005e8b75

    SHA1

    4ad9478031dd5003c64eafba8785aa9fe2fdaf1d

    SHA256

    73c12b32d7884af23de759123c93ef900e14de42b4da65914cdfade1474dbc99

    SHA512

    aee013974153b93e26d08f8d135ba5cf849943d4db171deec1a07318a4b4984982834867a9b03cd38ac4c320506358efbc0c222e3713a9aa76dff5144c2fa12e

  • memory/3796-134-0x0000000000000000-mapping.dmp